Command-and-Control Providers (C2P) Abuse Wyoming Shell Companies for Attack Infrastructure

Date: December 12, 2023


Reuters has now documented three recent cases where Wyoming-based LLCs have been implicated as Command-and-Control Providers (C2P) providing attack infrastructure to foreign threat actors for conducting cyberattacks.

"It's the virtual Wild, Wild West," Sarah Beth Felix, who runs an anti-money laundering advisory firm, told Reuters, adding that Wyoming made registering anonymous shell companies so easy that foreign threat actors "don't have to be physically in Wyoming to hide out in Wyoming."

Reuters said that cybercriminals use these companies and the infrastructure they provide to make malicious internet traffic appear as if it were coming from the United States, which makes it less likely to get flagged or blocked than if the actual origin, such as Russia or Iran, were known.

“LLCs, like corporations, shield their owners from certain forms of liability but tend to be easier to set up. Because Wyoming allows registered agents – in-state representatives – to serve as the public point of contact for LLCs, their ownership can be kept secret from the wider public,” Reuters explained.

The other cases Reuters identified include a DDoS operation that knocked the Vienna-based International Press Institute offline. It took the IPI about 10 days to fully restore the website, and the malicious traffic was traced back to a Wyoming-based hosting company called HostCram.

And in August Reuters wrote about how anti-ransomware firm Halcyon uncovered an Iran-linked internet company registered in Wyoming called Cloudzy that was observed providing services to "a rogue's gallery" of state-sponsored espionage and cybercriminal threat actors through Wyoming-based company RouterHosting LLC.

Takeaway: Back in August, the Halcyon Research and Engineering Team exposed yet another major player in the Ransomware Economy that has been facilitating ransomware attacks as well as multiple state-sponsored APT operations: Command-and-Control Providers (C2P).

Akin to Bulletproof Hosting companies who cater to attackers and criminals and allow malicious activity to thrive on their networks, there are also ostensibly legitimate ISPs who are acting as Command-and-Control Providers (C2P) and sell services to threat actors while assuming an otherwise legal business profile.  

“What stood out most to us is the fact that we have ostensibly legitimate ISPs providing attack infrastructure to nation-state threat actors, ransomware operators, and other possibly sanctioned entities while under no obligation to take any action whatsoever to stem the illicit activity,” Ryan Smith, CTO and co-founder at Halcyon, told The Record.

“In fact, they are profiting from it… These Command-and-Control Providers — knowingly or unknowingly — are essentially another pillar in the global attack ecosystem, and a major player in the ransomware economy.”

C2Ps rely on legal loopholes in their Terms of Service and Privacy Policies that do not require them to vet their customers, enabling threat actors to abuse their platforms for malicious operations while enjoying plausible deniability.  

In the Halcyon report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps), researchers also demonstrated a unique method for identifying C2P entities and actually observing the precursors to major ransomware and espionage campaigns as the attack infrastructure is being set up.

Halcyon used this method to identify two previously undisclosed ransomware affiliates tracked as Ghost Clown and Space Kook who were observed deploying BlackBasta and Royal payloads, respectively.

This methodology, detailed in the report, led the researchers to a particularly good example of how C2Ps operate and stay below the radar of security teams – an ISP called Cloudzy – which is registered in the U.S., but is most likely actually operating out of Iran.

“Initially, Halcyon suspected that the person or entity doing the leasing was a criminal infrastructure broker, a part of the underground ransomware ecosystem, akin to an initial access broker or malware developer,” the report states.

“To our surprise, Halcyon was able to successfully purchase servers with the identified RDP hostnames from one of the ISPs, and only one: the C2P Cloudzy. More precisely, these hostnames appeared on servers provisioned using their ‘RDP VPS’ service. We had our answer.”

Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.

It was assessed that (potentially) between 40% and 60% of the overall activity could be considered malicious in nature. Halcyon recommends that the technical readers of the report use the Indicators of Compromise (IOCs) appended below to search their networks for any of the malicious activities we tied to C2P Cloudzy.
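As an added illustration, not code from the Halcyon report or from Reuters' reporting, of why a geolocation-only control is weak against C2P-hosted infrastructure: the script attributes egress destinations to the organisation operating the address and checks them against analyst watchlists and IOC hostnames, alongside the geo-only verdict for comparison. Every prefix, organisation name, hostname and log line below is a constructed placeholder, not a real indicator.

```python
import ipaddress

# Constructed attribution table on RFC 5737 documentation ranges; placeholder organisations.
PROVIDER_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): ("EXAMPLE-C2P-HOSTING", "US"),
    ipaddress.ip_network("198.51.100.0/24"): ("EXAMPLE-ENTERPRISE-SAAS", "US"),
    ipaddress.ip_network("192.0.2.0/24"): ("EXAMPLE-FOREIGN-ISP", "RU"),
}
# Analyst-maintained watchlists; constructed placeholders, not indicators from the report.
WATCHED_PROVIDERS = {"EXAMPLE-C2P-HOSTING"}
IOC_HOSTNAMES = {"rdp-vps-01.example.invalid"}
BLOCKED_COUNTRIES = {"RU", "IR"}

def attribute(ip: str) -> tuple[str, str]:
    """Return (organisation, country) for an address, or ('UNKNOWN', '??')."""
    addr = ipaddress.ip_address(ip)
    for net, info in PROVIDER_PREFIXES.items():
        if addr in net:
            return info
    return ("UNKNOWN", "??")

def geo_only_verdict(dst_ip: str) -> str:
    # The weak control: allow anything whose geolocation is not blocklisted.
    return "block" if attribute(dst_ip)[1] in BLOCKED_COUNTRIES else "allow"

def provider_aware_verdict(dst_ip: str, dst_host: str) -> list[str]:
    """The stronger control: reasons to review, based on who operates the address."""
    org, country = attribute(dst_ip)
    reasons = []
    if country in BLOCKED_COUNTRIES:
        reasons.append(f"geo:{country}")
    if org in WATCHED_PROVIDERS:
        reasons.append(f"provider:{org}")
    if dst_host.lower() in IOC_HOSTNAMES:
        reasons.append(f"ioc-host:{dst_host.lower()}")
    return reasons

def triage(log_lines: list[str]) -> dict[str, list[str]]:
    """Parse 'ts src dst_ip dst_host' lines; return flagged dst_ip -> reasons."""
    flagged = {}
    for line in log_lines:
        _ts, _src, dst_ip, dst_host = line.split()
        if reasons := provider_aware_verdict(dst_ip, dst_host):
            flagged[dst_ip] = reasons
    return flagged

SAMPLE_LOG = [  # constructed egress log; the first destination is US-attributed yet C2P-hosted
    "2023-12-12T10:00:01Z 10.0.0.5 203.0.113.10 rdp-vps-01.example.invalid",
    "2023-12-12T10:00:02Z 10.0.0.7 198.51.100.20 files.example-saas.invalid",
    "2023-12-12T10:00:03Z 10.0.0.9 192.0.2.30 update.example-foreign.invalid",
]
```

The first sample line passes the geo-only check because the address is US-attributed, while the provider-aware check flags it on both the operating organisation and the IOC hostname.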

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.